On Thursday, 29 December 2022 at 19:40 (+0100), Jaron Kent-Dobias wrote:
> It's possible that some subscribers forward their mail to another
> address, which I find often results in SPF failures with severity
> depending on how the forwarding server is configured.
Possible and true: here's an excerpt of one DMARC report this morning
(from yahoo.com):
1 messages matching from mail-yw1-f175.google.com: none (DKIM: ✓ pass; SPF: ✘ fail)
From: kent-dobias.com
=> DKIM: ! kent-dobias.com
=> SPF: + gmail.com
1 messages matching from mail-pf1-f182.google.com: none (DKIM: ✓ pass; SPF: ✘ fail)
From: kent-dobias.com
=> DKIM: ! kent-dobias.com
=> SPF: + randomink.org
1 messages matching from mail-pj1-f53.google.com: none (DKIM: ✓ pass; SPF: ✘ fail)
From: kent-dobias.com
=> DKIM: ! kent-dobias.com
=> SPF: + randomink.org
1 messages matching from mail-yb1-f172.google.com: none (DKIM: ✓ pass; SPF: ✘ fail)
From: kent-dobias.com
=> DKIM: ! kent-dobias.com
=> SPF: + gmail.com
6 messages matching from lists.archlinux.org: none (DKIM: ✓ pass; SPF: ✘ fail)
From: kent-dobias.com
=> DKIM: ! kent-dobias.com
=> SPF: + lists.archlinux.org
Lots of SPF fails, many because I do not list lists.archlinux.org as an
approved sender, but many also because another mail server delivered the
final message.
Most mail operators are aware that forwarding is common and breaks SPF,
and if DKIM is present and valid tend to ignore the failure or use
contextual information to infer if the mail is forwarded or not.
I used to have problems using a DMARC hard fail (-all) with some
forwarders who break DKIM or fail to implement their own valid SPF (note
the "+ domain.tld" SPF records), so I switched to soft fail (~all) to
prevent this. Universities tend to be very bad in this regard...
Jaron
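The pattern discussed above (DKIM aligned and passing while SPF passes only for some third-party envelope domain, as happens with forwarders and lists) can be picked out of a DMARC aggregate report automatically. The following is an added example, not code from the thread or from any list software: it parses a constructed aggregate-report XML fragment, applies a simplified relaxed-alignment check to the raw auth results, and tallies messages per verdict so the "forwarded" cases can be separated from genuinely unauthenticated mail.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report, modelled on the excerpt quoted in the
# thread; the IPs and counts are made up for illustration.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>kent-dobias.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>1</count></row>
  <identifiers><header_from>kent-dobias.com</header_from></identifiers>
  <auth_results><dkim><domain>kent-dobias.com</domain><result>pass</result></dkim>
   <spf><domain>gmail.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.20</source_ip><count>6</count></row>
  <identifiers><header_from>kent-dobias.com</header_from></identifiers>
  <auth_results><dkim><domain>kent-dobias.com</domain><result>pass</result></dkim>
   <spf><domain>lists.archlinux.org</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.30</source_ip><count>2</count></row>
  <identifiers><header_from>kent-dobias.com</header_from></identifiers>
  <auth_results><dkim><domain>example.net</domain><result>pass</result></dkim>
   <spf><domain>example.net</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def aligned(auth_domain, header_from):
    """Simplified relaxed alignment: the authenticated domain must equal the From
    domain or be a subdomain of it (real DMARC compares organizational domains)."""
    return auth_domain == header_from or auth_domain.endswith("." + header_from)

def classify(record):
    """Return (verdict, message count) for one <record> after alignment checks."""
    header_from = record.findtext("identifiers/header_from")
    count = int(record.findtext("row/count"))
    dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), header_from)
                  for d in record.findall("auth_results/dkim"))
    spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain"), header_from)
                 for s in record.findall("auth_results/spf"))
    if dkim_ok and spf_ok:
        return "pass", count
    if dkim_ok:                   # DKIM survived but the envelope sender is a
        return "dkim_only", count # third party: the forwarding / list pattern
    if spf_ok:
        return "spf_only", count
    return "fail", count

def summarize(xml_text):
    """Aggregate message counts per verdict over all records in a report."""
    totals = Counter()
    for rec in ET.fromstring(xml_text).findall("record"):
        verdict, count = classify(rec)
        totals[verdict] += count
    return dict(totals)
```

Records that land in `dkim_only` are the ones a `~all`/`p=none` policy tolerates and a strict policy would start rejecting; `fail` entries are the ones worth investigating.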